The invention relates to a method for cryptographic authentication in access security systems. The aim of the invention is to provide a software solution. To this end, the method for secured storage of counter states in a non-volatile memory (eeprom) (10) involves an incrementing (11) process, and the current counter state is updated in only one eeprom segment following each incrementing process (11), a subsequent access to the eeprom (10) only being enabled in the event of a successful incrementing (11) of an eeprom-based counter.

PTO Wrapper PDF
Dossier Espace Google
Patent
   8195955
Priority
May 30 2006
Filed
May 16 2007
Issued
Jun 05 2012
Expiry
Dec 07 2028
Extension
571 days
Inventors
Nowottnick…
Assg.orig
NXP, B V
Assg.curr
MORGAN STA…
Entity
Large
Referenced by
0
References
11
Maint.:
all paid
REFERENCE LIST
1. A method for cryptographic authentication in an access security system, the method comprising:
incrementing consecutive counts in segments of an Electrically erasable programmable read-Only Memory (eeprom) by;
retrieving an invalid count in one of three eeprom segments;
detecting a maximum valid count from two remaining valid counts if an invalid count exists;
overwriting the invalid count with the maximum valid count;
when no invalid count exists, detecting a smallest valid count from three valid counts, wherein detecting the smallest valid count follows the retrieving step;
detecting a largest valid count from the three valid counts; and
overwriting the smallest valid count with the largest valid count, wherein the cryptographic authentication occurs after each successful execution of the incrementing step; and
after each incrementation, updating a current count in not more than one eeprom segment to produce an updated counter value; and
using each updated counter value as a changing initialization value in subsequent cryptographic authentications.
2. The method as claimed in claim 1, wherein the access security system is a transponder.
3. The method as claimed in claim 1, further comprising: determining the invalid count via a calculation of differences from the two remaining valid counts, where the invalid count has the largest difference from the two remaining valid counts.
4. The method as claimed in claim 1, further comprising: forming, with the eeprom-based count, a changing initialization value for a suitable cryptoalgorithm which serves to authenticate communication with the transponder.
5. The method as claimed in claim 1, further comprising: producing the consecutive counts in the event of each incrementation by an up-counter or a down-counter.
6. The method of claim 1, further comprising:
storing each new count in only one eeprom segment.
7. The method of claim 1, further comprising: recording each authentication sequence with ensuing eeprom access only once.
8. The method as claimed in claim 1, further comprising:
using a known counting rate to detect the invalid count.
9. The method of claim 1, further comprising: calculating two cryptographic signatures based upon both a changing value from a base station and a changing value from the access security system.
10. The method as claimed in claim 3, further comprising: defining threshold values for the differences from which a count is detected to be invalid.
11. The method of claim 5, wherein the up-counter is a stepsize up-counter.

The invention relates to a method for cryptographic authentication in access security systems.

In access security systems for automotive technology in present-day state of the art technology so-called mutual authentication protocols are implemented, in which the calculation of cryptographic signatures is based not only on secret keys but also on random numbers, which calculation is exclusively provided by a base station. In transponders for automotive applications only the vehicle base station provides the single changeable component for the calculation of the cryptographic signatures.

In the field of chip cards random number generators, which are often based on special RC oscillators, are also supported on the card nowadays. Such realizations in access security systems for automotive applications are hardly conceivable among other things for reasons of cost control.

An advantage of a solution in which also the card or the transponder respectively, provides an ever changing number is the increased attack resistance to what is called replay attacks. With these attacks and their derivatives a non-authorized base station (attacker) could attempt to read secured information from the transponder or modify information in the EEPROM memory of the transponder while using recorded valid communication sequences.

The solutions known from the state of the art are not obtained, however, by the exclusive use of software. It is rather hardware-software solutions, which usually require special hardware.

Therefore, it is an object of the invention to provide a cryptographic authentication method which is based exclusively on a cryptographic algorithm, more particularly, in transponder systems.

This object is achieved by the characterizing features of claim 1.

It is a basic idea of the invention to provide an algorithm that is particularly useful in transponders for the cryptographic authentication. According to the invention this is thus not a hardware-software solution, for which also special hardware is to be used at all times. Compared to other methods this saves EEPROM accesses which are based on the storing of redundant information. Each of the EEPROM segments is then exclusively used for storing counter data. On many occasions this enables a counter-data-optimized write access to the EEPROM segments for further increasing the permitted number of write cycles. In addition, implementation of the method requires only little calculation effort. Neither is it necessary to use special hardware for reliable generation of a changing code, which is often easier to retrieve and, in addition, more expensive than the solution based on the EEPROM. The method according to the invention makes use of the characteristic properties of counter values for the integrated storing of these values and for error recognition and error correction. In this way also an effective protection against replay attacks is provided. Because of the fact that after each incrementation a new count is updated in only one EEPROM segment, the number of permitted program cycles may be triplicated compared with the methods known from the state of the art, while at the same time attacks on the security system are made more difficult.

An advantageous embodiment of the invention provides that the incrementation comprises the following steps:

The advantage of such incrementation resides in the fact that any redundant storage is avoided but nevertheless there is achieved that when invalid contents of a memory segment are detected, the counting rhythm is not disturbed since the very memory segment in which invalid contents are detected is rewritten and thus again valid counts are stored in all three memory segments on the basis of which counts counting may be resumed. Since, in addition, the memory segments are exclusively used for storing counts, these operations may be optimized and thus an increase of the permitted number of write cycles may be achieved.

Advantageously, in step a) the invalid count is determined as discussed in detail in DE 10201554 A1 via a calculation of the difference from the two remaining counts where the invalid count has the largest differences from the remaining counts.

It is advantageous that threshold values for the differences are defined from which a count is detected to be invalid. If the threshold value is exceeded, it may be assumed that the relevant memory segment contains an invalid stored value. With a known counting rate there is also known what mutual differences the stored values of the memory segments are allowed to have as a maximum. If larger differences, thus exceeding the threshold value, occur for a stored value of a memory segment, there may be assumed that this stored value is invalid. Therefore, there may be assumed already when the threshold value is exceeded that the relevant memory segment is immediately sellected for storing the new count.

A particularly advantageous embodiment of the invention provides that the count based on the EEPROM or a value derived from this count forms a changing initialization value for a suitable cryptoalgorithm which is to be used for the authentication and/or encryption of the communication with a transponder.

Within the spirit and scope of the invention it is at this point a given fact that for the calculation of the two cryptographic signatures (MAC and Response) both a changing value of a base station, which generates a signal called challenge, and a changing value from the transponder are taken into account. As a result it may be ensured that a crypto session cannot be carried out multiple times and in this way forms of the replay attack can be avoided. In addition, within the spirit and scope of the invention it is to be observed that—as has already been noted—only in the case of a successful execution of the INCREMENT command access is given to the user EEPROM. Each authentication sequence with ensuing EEPROM access can then be recorded only once, because another count has already been used for generating the cryptodata.

A practical variant of the invention provides that the counts used in the incrementation come from an up-counter or a down-counter.

The following description relating to the appended drawing, the whole given by way of non-limiting example, will provide better understanding of how the invention can be realized, in which.

FIG. 1 shows a sequence of operations for secured counting and storing in an EEPROM in respect of an incrementation.

FIG. 1 shows a method 100 according to the invention in which the three EEPROM segments Z1, Z2 and Z3 are used for securedly storing consecutive counts. The method 100 according to the invention implies a sequence of operations for securedly counting and storing in an EEPROM 10 in the event of an incrementation 11, where the incrementation 11 is to be effected successfully in the application so as to subsequently come to a state in which an access (read, write) to the EEPROM 10 can be permitted, that is to say, only in the case of a successful execution of the INCREMENT command can access, i.e. read and write, be granted. In a first step a) an invalid count Zvalid is searched for in one of three EEPROM segments, that is to say, a query is made as to whether there exists an invalid count Zinvalid among the counts Z1, Z2 and Z3. If such an invalid count Zinvalid exists indeed, in a next step b) a maximum valid count is to be formed from the remaining valid counts Zi and Zj (i, j=1, 2, 3) if there exists an invalid count at all. The counter may in principle be an up-counter or a down-counter. In this example of embodiment it is assumed that it is a stepsize 1 up-counter. The invalid count in step a) is then determined via a calculation of the differences from the two remaining counts where an invalid count has the largest differences from the remaining counts. The memory value of such a memory segment is thus identified as being invalid and is overwritten with the new maximum count in step c). Thus this invalid count is removed from one of the memory segments of the EEPROM 10 and overwritten with a new valid count. If it is established that at this point no invalid count exists, in step d) a smallest valid count is chosen from the three valid counts while, in the event of non-existence of an invalid count, the method step d) follows immediately after method step a). Finally, in step e) a largest valid count is chosen from the three valid counts, so that in the subsequent step f) the smallest valid count can be overwritten with a valid maximum count.

The sequence of operations shown here for secured counting and storing in an EEPROM 10 loads the memory segments of the EEPROM 10 only to a limited extent, because each new count is stored in only one memory segment of the EEPROM 10 and, consequently, there is only a limited load on the EEPROM in respect of storing operations. In addition to this, since the differences are checked, there is a general check on the stored value so that in general the operational safety is enhanced. Thanks to the sequence of operations shown here the count based on the EEPROM or a value derived from this count forms a changing initialization value for a suitable cryptoalgorithm which serves to authenticate and/or encrypt the communication with a transponder 12. The method according to the invention thus provides a pure software solution which can be used for systems in which a high degree of cryptographic security is a must. Fields of application are particularly transponders 12.

REFERENCE LIST

INVENTORS:

Nowottnick, Juergen, Boeh, Frank

THIS PATENT IS REFERENCED BY THESE PATENTS:
Patent Priority Assignee Title
THIS PATENT REFERENCES THESE PATENTS:
Patent Priority Assignee Title
4774544, Feb 28 1986 Casio Computer Co., Ltd.; Casio Electronics Manufacturing, Ltd. Counter apparatus for an image forming apparatus for counting and managing the number of image forming operations
5887046, Nov 20 1997 Continental Automotive Systems, Inc Method, system, and device for accumulating data and maintaining the accumulated data
6687325, Jun 23 1999 Intel Corporation Counter with non-uniform digit base
6798695, Sep 10 2001 NXP B V Arrangement for storing a count
7039844, Jan 17 2002 CALLAHAN CELLULAR L L C Integrated circuit with self-testing circuit
7306158, Jul 10 2001 Liberty Peak Ventures, LLC Clear contactless card
20070046428,
20070101152,
DE10201553,
DE10201554,
EP1293938,
ASSIGNMENT RECORDS    Assignment records on the USPTO
///////////////
Executed onAssignorAssigneeConveyanceFrameReelDoc
May 11 2007NOWOTTNICK, JUERGENNXP, B V ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS 0218950842 pdf
May 16 2007NXP B.V.(assignment on the face of the patent)
Oct 29 2007BOEH, FRANKNXP, B V ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS 0218950842 pdf
Feb 18 2016NXP B V MORGAN STANLEY SENIOR FUNDING, INC CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE APPLICATION 12298143 PREVIOUSLY RECORDED ON REEL 042762 FRAME 0145 ASSIGNOR S HEREBY CONFIRMS THE SECURITY AGREEMENT SUPPLEMENT 0511450184 pdf
Feb 18 2016NXP B V MORGAN STANLEY SENIOR FUNDING, INC CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE APPLICATION 12298143 PREVIOUSLY RECORDED ON REEL 039361 FRAME 0212 ASSIGNOR S HEREBY CONFIRMS THE SECURITY AGREEMENT SUPPLEMENT 0510290387 pdf
Feb 18 2016NXP B V MORGAN STANLEY SENIOR FUNDING, INC CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE APPLICATION 12298143 PREVIOUSLY RECORDED ON REEL 042985 FRAME 0001 ASSIGNOR S HEREBY CONFIRMS THE SECURITY AGREEMENT SUPPLEMENT 0510290001 pdf
Feb 18 2016NXP B V MORGAN STANLEY SENIOR FUNDING, INC CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE APPLICATION 12298143 PREVIOUSLY RECORDED ON REEL 042762 FRAME 0145 ASSIGNOR S HEREBY CONFIRMS THE SECURITY AGREEMENT SUPPLEMENT 0511450184 pdf
Feb 18 2016NXP B V MORGAN STANLEY SENIOR FUNDING, INC CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE APPLICATION 12298143 PREVIOUSLY RECORDED ON REEL 038017 FRAME 0058 ASSIGNOR S HEREBY CONFIRMS THE SECURITY AGREEMENT SUPPLEMENT 0510300001 pdf
Feb 18 2016NXP B V MORGAN STANLEY SENIOR FUNDING, INC CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE APPLICATION 12298143 PREVIOUSLY RECORDED ON REEL 039361 FRAME 0212 ASSIGNOR S HEREBY CONFIRMS THE SECURITY AGREEMENT SUPPLEMENT 0510290387 pdf
Feb 18 2016NXP B V MORGAN STANLEY SENIOR FUNDING, INC CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE APPLICATION 12298143 PREVIOUSLY RECORDED ON REEL 042985 FRAME 0001 ASSIGNOR S HEREBY CONFIRMS THE SECURITY AGREEMENT SUPPLEMENT 0510290001 pdf
Feb 18 2016NXP B V MORGAN STANLEY SENIOR FUNDING, INC CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE APPLICATION 12681366 PREVIOUSLY RECORDED ON REEL 038017 FRAME 0058 ASSIGNOR S HEREBY CONFIRMS THE SECURITY AGREEMENT SUPPLEMENT 0429850001 pdf
Feb 18 2016NXP B V MORGAN STANLEY SENIOR FUNDING, INC CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE APPLICATION 12681366 PREVIOUSLY RECORDED ON REEL 039361 FRAME 0212 ASSIGNOR S HEREBY CONFIRMS THE SECURITY AGREEMENT SUPPLEMENT 0427620145 pdf
Feb 18 2016NXP B V MORGAN STANLEY SENIOR FUNDING, INC CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE APPLICATION 12092129 PREVIOUSLY RECORDED ON REEL 038017 FRAME 0058 ASSIGNOR S HEREBY CONFIRMS THE SECURITY AGREEMENT SUPPLEMENT 0393610212 pdf
Feb 18 2016NXP B V MORGAN STANLEY SENIOR FUNDING, INC SECURITY AGREEMENT SUPPLEMENT0380170058 pdf
Sep 03 2019MORGAN STANLEY SENIOR FUNDING, INC NXP B V RELEASE BY SECURED PARTY SEE DOCUMENT FOR DETAILS 0507450001 pdf
MAINTENANCE FEES AND DATES:    Maintenance records on the USPTO
Date Maintenance Fee Events
Nov 11 2015M1551: Payment of Maintenance Fee, 4th Year, Large Entity.
Sep 24 2019M1552: Payment of Maintenance Fee, 8th Year, Large Entity.
Sep 19 2023M1553: Payment of Maintenance Fee, 12th Year, Large Entity.


Date Maintenance Schedule
Jun 05 20154 years fee payment window open
Dec 05 20156 months grace period start (w surcharge)
Jun 05 2016patent expiry (for year 4)
Jun 05 20182 years to revive unintentionally abandoned end. (for year 4)
Jun 05 20198 years fee payment window open
Dec 05 20196 months grace period start (w surcharge)
Jun 05 2020patent expiry (for year 8)
Jun 05 20222 years to revive unintentionally abandoned end. (for year 8)
Jun 05 202312 years fee payment window open
Dec 05 20236 months grace period start (w surcharge)
Jun 05 2024patent expiry (for year 12)
Jun 05 20262 years to revive unintentionally abandoned end. (for year 12)